# PowerShell脚本：修复数据库文件权限
# EndoSight-UC 医疗AI系统 - 数据库安全紧急修复

Write-Host "=== 数据库权限安全修复 ===" -ForegroundColor Green
Write-Host "开始时间: $(Get-Date)" -ForegroundColor Yellow

$dataPath = ".\data"
$dbFiles = @(
    "$dataPath\endo_sight_uc.db",
    "$dataPath\endo_sight_uc.db-shm",
    "$dataPath\endo_sight_uc.db-wal"
)

# 检查数据库文件是否存在
Write-Host "检查数据库文件..." -ForegroundColor Cyan
foreach ($file in $dbFiles) {
    if (Test-Path $file) {
        Write-Host "✓ 找到: $file" -ForegroundColor Green

        # 获取当前权限
        $acl = Get-Acl $file
        Write-Host "当前权限:" -ForegroundColor Yellow
        $acl.Access | ForEach-Object {
            Write-Host "  $($_.IdentityReference.Value): $($_.FileSystemRights)" -ForegroundColor Gray
        }
    } else {
        Write-Host "✗ 未找到: $file" -ForegroundColor Red
    }
}

# 移除不必要的访问权限
Write-Host "`n移除不必要的访问权限..." -ForegroundColor Cyan
foreach ($file in $dbFiles) {
    if (Test-Path $file) {
        $acl = Get-Acl $file

        # 移除Users组的访问权限
        $usersRule = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "BUILTIN\Users" }
        if ($usersRule) {
            $acl.RemoveAccessRule($usersRule) | Out-Null
            Write-Host "✓ 移除Users组权限: $file" -ForegroundColor Green
        }

        # 移除Authenticated Users的访问权限
        $authUsersRule = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "NT AUTHORITY\Authenticated Users" }
        if ($authUsersRule) {
            $acl.RemoveAccessRule($authUsersRule) | Out-Null
            Write-Host "✓ 移除Authenticated Users权限: $file" -ForegroundColor Green
        }

        # 移除Everyone的访问权限
        $everyoneRule = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "Everyone" }
        if ($everyoneRule) {
            $acl.RemoveAccessRule($everyoneRule) | Out-Null
            Write-Host "✓ 移除Everyone权限: $file" -ForegroundColor Green
        }

        # 应用新的权限设置
        Set-Acl $file $acl
        Write-Host "✓ 权限已更新: $file" -ForegroundColor Green
    }
}

# 设置目录权限
Write-Host "`n设置数据目录权限..." -ForegroundColor Cyan
if (Test-Path $dataPath) {
    $dirAcl = Get-Acl $dataPath

    # 移除继承权限
    $dirAcl.SetAccessRuleProtection($true, $false) | Out-Null

    # 只保留当前用户和系统的访问权限
    $dirAcl.Access | ForEach-Object {
        if ($_.IdentityReference.Value -notmatch "^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|$($env:USERNAME))") {
            $dirAcl.RemoveAccessRule($_) | Out-Null
            Write-Host "✓ 移除目录权限: $($_.IdentityReference.Value)" -ForegroundColor Green
        }
    }

    Set-Acl $dataPath $dirAcl
    Write-Host "✓ 数据目录权限已设置" -ForegroundColor Green
}

# 验证修复结果
Write-Host "`n验证权限修复结果..." -ForegroundColor Cyan
foreach ($file in $dbFiles) {
    if (Test-Path $file) {
        $acl = Get-Acl $file
        Write-Host "文件: $file" -ForegroundColor Yellow
        $acl.Access | ForEach-Object {
            $color = if ($_.IdentityReference.Value -match "^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|$($env:USERNAME))") { "Green" } else { "Red" }
            Write-Host "  $($_.IdentityReference.Value): $($_.FileSystemRights)" -ForegroundColor $color
        }
    }
}

Write-Host "`n=== 数据库权限修复完成 ===" -ForegroundColor Green
Write-Host "完成时间: $(Get-Date)" -ForegroundColor Yellow
Write-Host "建议: 立即重启应用程序以确保权限生效" -ForegroundColor Magenta